2006.02.14 talk 3: Flamingo netflow visualization. Manish (from the BGP Inspect project at Merit), bgpinspect.merit.edu:8080. He'll be talking later at the Tools BOF as well, apparently.

Introduction: What is Flamingo? Visualization. The Flamingo tool, combining visualizations with controls. Case studies: traffic anomaly, network scans, worm traffic, P2P traffic, the Slashdot effect.

The tool has been under development for a year; John, in the audience, and Mike (now employed) have been working on it as undergrads. It's just a view into netflow: no filters or adjustment of data, it's just a visualization system. Client/server architecture; a single server can support multiple clients.

Visualization methods: 5 different views, an extended quad tree implementation, volume by src/dst IP prefix, volume by src/dst AS. The basic quad tree maps a 32-bit IP address into a fixed space: 4 areas are representable by 2 bits; keep splitting 16 times and you represent the 32-bit address as a 2D mapping. Convert it into 3 dimensions and you have an axis of freedom to represent additional info. So one face is the quad tree and the Z axis is volume of traffic, so you can see relative volumes. Nice slide showing visualization of the traffic flow patterns.

Can show traffic flows aggregated by src/dst IP; now there are 2 surfaces needed on the cube, so they use line thickness between the surfaces to show flow sizes between ASes. The last visualization incorporates port info as well, but since there's only one axis left, port-level info goes on the Z axis. So IP/port is X1Y1Z1; same for dest IP and port. Once there are coordinates, the line can be drawn, its width scaled by volume, and now you have the full info in one view. The same colour is used to represent traffic from the same source n-tuple. They combine 2D and 3D representations of the data to help keep yourself oriented. They also have text representations of the information, the same as the visual data but in text form.
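The quad-tree mapping described above, as an added example (not Flamingo's own code): each 2-bit pair of the address picks a quadrant, a prefix becomes a square (or a 2:1 rectangle for odd lengths), and per-prefix flow volume over constructed sample flows becomes the Z height above that prefix's cell. Which bit of the pair selects x versus y is an assumption; the talk does not say.

```python
import ipaddress
from collections import defaultdict

def ip_to_quadtree_xy(ip, depth=16):
    """Map an IPv4 address to (x, y) in a 2^depth x 2^depth grid.
    The square is split into four quadrants `depth` times; each split consumes
    one 2-bit pair of the address, most significant first. Assumed convention
    (the talk does not say): the pair's high bit picks the y half, the low bit
    the x half. depth=16 uses all 32 bits (one cell per /32); depth=12 gives
    one cell per /24, which is how volume is aggregated by prefix.
    """
    bits = int(ipaddress.IPv4Address(ip))
    x = y = 0
    for i in range(depth):
        pair = (bits >> (30 - 2 * i)) & 0b11
        y = (y << 1) | (pair >> 1)
        x = (x << 1) | (pair & 1)
    return x, y

def prefix_cell(prefix):
    """(x0, y0, width, height) of the depth-16 region a prefix covers.
    A /L prefix fixes ceil(L/2) y bits and floor(L/2) x bits, so an odd L
    gives a rectangle twice as wide as it is tall."""
    net = ipaddress.IPv4Network(prefix)
    x0, y0 = ip_to_quadtree_xy(str(net.network_address))
    length = net.prefixlen
    return x0, y0, 1 << (16 - length // 2), 1 << (16 - (length + 1) // 2)

def volume_by_src_prefix(flows, prefix_len=24):
    """Sum bytes per source prefix (even prefix_len only) and key the total by
    that prefix's quad-tree cell: the Z height drawn above the cell."""
    depth = prefix_len // 2
    volume = defaultdict(int)
    for src, _dst, nbytes in flows:
        volume[ip_to_quadtree_xy(src, depth)] += nbytes
    return dict(volume)

# Constructed sample flows (src, dst, bytes); not data from the talk.
FLOWS = [
    ("10.0.0.5", "192.0.2.10", 1500),
    ("10.0.0.5", "192.0.2.11", 1500),
    ("10.0.0.5", "192.0.2.12", 1500),
    ("10.0.1.7", "198.51.100.20", 40000),
]

if __name__ == "__main__":
    for cell, nbytes in sorted(volume_by_src_prefix(FLOWS).items()):
        print(cell, nbytes)
```

Addresses that share a prefix land in adjacent cells, which is why a scanner or a burst from one host shows as a single tall block in the aggregated view.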
Slider bars allow thresholding of what gets displayed, to prevent clutter: only flows over a certain size, or only certain ports, etc. Can also apply labels to help pull information out for fast reference. You can also restrict the address space you care about to only look at certain subnets.

Case study: traffic anomaly. Sunday Oct 16, 2005, a large burst of traffic from one host at umich, lasted 6 hours, from 12pm to 6pm; four targets, not widely distributed; it was UDP traffic. Was visible in the normal view. Visible on the main view, zoomed in, and the 4 million flows show as a huge block. Going to the src/dest view lets you see where the traffic is going. Adding the port info, you see the entire port space is being sprayed.

Another case study: worm traffic doing port 42 scans, a fan view on the graph, highly visible. An artificial case study: a host scanning a /24 subnet. SSH scans also show up as many, many ports probing a single port; a reverse fan. Slashdot effect on campus, Oct 31 2004; have before and during pictures showing the huge traffic swing. Zotob worm infection: random destination IPs but the same port, coming from the same host; cone effect. P2P traffic: a single host with multiple connections to different destinations, significant volume to each. Darkspace traffic visualizations show nothing but scans, which show up really dramatically.

Conclusion: The Flamingo Visualization Tool provides users with the ability to easily explore and extract meaningful information regarding traffic flows in their network. More will be discussed at the Tools BOF this afternoon. http://flamingo.merit.edu/

Break now, come back at 10:50. Someone left a jacket at the Yahoo party with a digital camera; describe it to the registration desk to get it back.